Denying bad DNS HELO/EHLOs

August 16, 2023 by Roberto Puzzanghera 2 comments

Changelog

  • Aug 17, 2023
    - C++ version
  • Aug 13, 2023
    - v. 8.2.0 bug fix: segfault in case of no result in DNS record
    - default action changed to GNLR
  • Jul 27, 2023
    P will now pass through making all filters ignored. You are invited to remove this option if already using this program.
    - added G filter, i.e. HELO/EHLO with an invalid syntax are denied (random strings but also typing errors like sagredo..eu).
    - compile with -lpcre
    - code revision. Please report any issue.

The RFC-821 Section 3.5 states that 

The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is a valid principal host domain name for the client host. As a result, the receiver-SMTP will not have to perform MX resolution on this name in order to validate the HELO parameter.

The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.

Not denying clients with a bad HELO/EHLO DNS can be considered a wise thing, just to avoid to update too frequently our welcomelist for those clients who didn't set up their DNS properly.

On the other hand, it is a matter of fact that most spammers use fake domains -sometimes our own domains-, or even random strings or not solving domains, as their HELO/EHLOs.

For example, consider the following log lines (I have plenty of them in my logs):

2022-02-01 10:19:53.142643500 helo-dns-check: HELO [yq3H9cDKgS] from [109.237.103.41] doesn't solve
2022-02-01 09:53:05.772497500 helo-dns-check: HELO [sagredo.eu] is a local domain but IP [183.240.55.119] is not a RELAYCLIENT

I think that at least such kind of failures should be blocked.

I'll explain below how to set up a filter which denies clients with one of these particular DNS failures:

  1. HELO/EHLOs domains with an invalid syntax. Random strings but also typing errors like sagredo..eu will be banned.
  2. fake HELO/EHLOs containing one of our domains, when RELAYCLIENT is NOT set and the HELO/EHLO matches one of our IPs. You can safely turn on this one.
  3. not solving HELO/EHLOs domains (no A record). You'll get some false positive if you turn this on, as clients whose administrator forgot to add the A record will be banned.
  4. clients whose remote IP doesn't match the A record. This is completely against RFC-821, so my configuration will not refuse these connections by default, just log them.

We'll make use of a qmail-spp helodnscheck plugin that I derived from an original work of Perolo Silantico, Jason Frisvold with modifications by Ren Bing. Here is my modified program:

The logic of the original plugin is to deny clients of type 4, which of course includes types 1, 2 and 3, but without being able to select 1 and/or 2 and/or 3 from the others. My modified version, instead, can ban only clients of type 1 and/or 2 and/or 3 or work as the original program (4).

Installation and configuration

I assume that you have already patched qmail with qmail-spp. If you are using my combined patch you are ok.

Download, compile and install:

cd /usr/local/src
wget https://raw.githubusercontent.com/sagredo-dev/helodnscheck/main/helodnscheck.cpp
g++ -o /var/qmail/plugins/helodnscheck helodnscheck.cpp -lpcre

Now enable the plugin, adding it to /var/qmail/control/smtpplugins in the [helo] section:

[helo] 
plugins/helodnscheck

List all your IPs inside the file control/moreipme (you should have already done this if you configured the "moreipme" patch):

1.2.3.4
5.6.7.8

Then enable qmail-spp and set up the plugin parameters to your needs. I suggest the following in your qmail-smtpd run file:

export ENABLE_SPP=1 
export HELO_DNS_CHECK=RLNG

In this way only bad HELOs of type 1 (G) and 2 (N) will be denied unless RELAYCLIENT is defined (R). All other DNS failures will pass through and each of them will be logged (L).

If you want to disable the HELO_DNS_CHECK just comment out that line.

Be aware that the HELO check can't work well on the submission port, where your IP cannot match the HELO, so you don't have to define HELO_DNS_CHECK in your qmail-submission run file.

Of course you can define HELO_DNS_CHECK via tcprules or allow a particular IP via NOHELODNSCHECK as follows:

111.222.333.444:allow, NOHELODNSCHECK=""
:allow,HELO_DNS_CHECK="RNLG"

The program's behaviour is defined in the HELO_DNS_CHECK variable:

  • L - (default) Log
  • H - add Header "X-Helo-Check"
  • D - Debug mode (use with L)
  • R - (default) if "RELAYCLIENT" is set, don't do anything
  • P - passthrough, never deny. Use with L and/or H.

Filters are executed in the following order:

  • G - (Garbage, default) HELO/EHLO with an invalid syntax are denied.
  • A - Not solving hostname in HELO/EHLO are denied. This clients do not even have an A record. Using G together with A is redundant (just use A).
  • I - Same as A for backward compatibilty. Obsolete, will be removed.
  • N - (Not me, default) deny if RELAYCLIENT is NOT set and the HELO/EHLO's solves to one of our IPs contained in control/moreipme. localhost will be denied as well. Using N together with A is redundant (just use A).
  • V - Same as N for backward compatibilty. Obsolete and will be removed.
  • B - Block if the remote IP (TCPREMOTEIP) does not match the addresses solved. This is the original program's mode. Using G and/or A and/or N together with B is redundant (just use B).

The above can be combined, so BL means block & log.

If P is defined all filters are ignored.

The default option is GNLR, which is defined if HELO_DNS_CHECK has no argument (HELO_DNS_CHECK="").

Testing

 Test as follows:

HELO_DNS_CHECK="BLRD" \
SMTPHELOHOST="test.tld" \
TCPREMOTEIP="111.222.333.444" \
/var/qmail/plugins/helodnscheck

helo-dns-check: dbg: action is BLRD 
helo-dns-check: dbg: no_helo_check is (null) 
helo-dns-check: dbg: helo_domain is test.tld 
helo-dns-check: dbg: remote_ip is 111.222.333.444 
helo-dns-check: dbg: G filter 'nomatch': [2] 
helo-dns-check: dbg: no result in A record 
helo-dns-check: HELO [test.tld] from [111.222.333.444] doesn't solve 
R553 sorry, invalid host name in HELO/EHLO command. (#5.7.1) 
helo-dns-check: blocked with: invalid host name in HELO/EHLO command. [111.222.333.444]

Examples

tcprules usage

111.222.333.444:allow, NOHELODNSCHECK="" // allow IP 
:allow,HELO_DNS_CHECK="LB" // block & log others

qmail-smtpd run file usage

export HELO_DNS_CHECK=""     // defaults to GNLR
export HELO_DNS_CHECK        // HELO_DNS_CHECK turned off
#export HELO_DNS_CHECK       // HELO_DNS_CHECK turned off
export HELO_DNS_CHECK=RLGN   // allow RELAYCLIENT, log, ban malformed domains, ban clients with my own domains in their HELO/EHLOs (safe choice)
Limiting outgoing emails
Greylisting
hacks | qmail | qmail-spp
add a comment

Comments

plugins Directory not created

Howdy,

Just a minor thing, there is no '/var/qmail/plugins' directory, create with 

mkdir /var/qmail/plugins

Reply |

plugins Directory not created

GoofY

Thank you. I'll make that directory created at compilation time in the next release

Reply |

qmail notes

General notes

Preinstallation tasks

daemontools

fehQlibs

ucspi-tcp6

ucspi-ssl

qmail

vpopmail

Upgrading qmail

tcprules

Configuring

Testing

autorespond

ezmlm-idx

qmailadmin

Add-ons

RBL

Greetdelay

SPF

SRS

DKIM

SURBL

Limiting outgoing emails

Denying bad DNS HELOs

Greylisting

qmail-taps-extended

moreipme

qmHandle

queue-repair

vQadmin

rblsmtpd

Dovecot

Running

Testing

Filtering

Indexing

Expunging

vpopmail-auth driver removal

vpopmail-auth driver patch

Spamassassin

Filtering networks

User Prefs

TxRep and Bayesian

Learning and reporting

DMARC

Roundcube

Plugins

ClamAV

clamav-unofficial-sigs

simscan

Testing

fail2ban

Installing a valid SSL certificate

SQL valias with sieve

Mailman

ChangeLog

Asking for help, contributing to the project

Pay me a coffee:

PayPal - The safer, easier way to pay online.

LXC scripts

Introduction

Basic configuration files

Creating an unprivileged container

Scripts overview

Natting

Other contents

Converting a Linux installation to Slackware in OVH server

Running OpenBoard in a window

Migrating from Linux-VServer to LXC

Linux-VServer on Slackware

rsync backup via ssh

Running two php on the same server

Securing proftpd

Mounting remotely with sshfs and curlftpfs

Installing mariaDB

Setting up MySQL

SEO friendly URLs with apache mod_rewrite

Building your ownCloud

Building your own mozilla-sync server

Setting up Tex on Mediawiki

Slackware RSS feeds

English
Italiano
Recent comments

Dovecot login update timestamp in lastauth table
November 15, 2024 17:45 CET

Dovecot login update timestamp in lastauth table
November 15, 2024 12:04 CET

Dovecot login update timestamp in lastauth table
November 14, 2024 13:05 CET

Dovecot login update timestamp in lastauth table
November 14, 2024 08:39 CET

qmail-remove_chkuser_vpopmail.patch
November 14, 2024 05:54 CET

port 587 change TLS to SSL
November 14, 2024 05:51 CET

port 587 change TLS to SSL
November 14, 2024 03:30 CET

qmail-remove_chkuser_vpopmail.patch
November 14, 2024 01:00 CET

Can't telnet to port 25 until qmailctl reboot
November 13, 2024 05:45 CET

Can't telnet to port 25 until qmailctl reboot
November 13, 2024 04:55 CET

Can't telnet to port 25 until qmailctl reboot
November 12, 2024 10:38 CET

Can't telnet to port 25 until qmailctl reboot
November 12, 2024 06:40 CET

RoundCube Global Address Books
November 5, 2024 14:05 CET

RoundCube Global Address Books
November 5, 2024 13:17 CET

RoundCube Global Address Books
November 5, 2024 13:05 CET

See also...

smtp-auth + qmail-tls + forcetls patch for qmail

qmail-inject sieve vacation/reject messages trouble

Testing ESMTP-SIZE patch for qmail

Merry Xmas and happy new... patch!

Playing with qmail-spp

Restoring the maildirs in dovecot (maildir++ patch bug fix)

Email Address Internationalization for qmail. MAV from chkuser modified accordingly

Tags

apache chkuser clamav dkim dovecot ezmlm fail2ban forward github hacks lamp letsencrypt linux linux-vserver lxc mailman mariadb mediawiki mozilla mysql openboard owncloud patches php proftpd qmail qmail to postfix qmail-spp qmailadmin rbl roundcube roundcube plugins rsync sieve simscan slackware solr spamassassin spf srs ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin

Recent posts

Email Address Internationalization for qmail. MAV from chkuser modified accordingly

ChangeLog

Upgrading qmail

Installing Dovecot and sieve on a vpopmail + qmail server

VqAdmin

Installing and configuring vpopmail

daemontools

fehQlibs

ucspi-ssl - TLS encryption for Client/Server IPv6/IPv4 communication

ucspi-tcp6

RSS feeds